Traffic Analysis 1 Example

Traffic Analysis – Wireshark

Simple Example

CIS 6395, Incident Response Technologies

Fall 2021, Dr. Cliff Zou
[email protected]
Acknowledgement
The second Wireshark example comes from programming project 2 in Dr. Dawn Song's course "CS161: Computer Security" in Fall 2008:
◦ http://inst.eecs.berkeley.edu/~cs161/fa08/
Example #1: What traffic does Nmap generate?
"Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network"
◦ Definition comes from Wikipedia.com
Question: What traffic does it generate? How can we detect if someone is using Nmap?
Nmap Basic Usage Examples
• Scan a single IP: nmap 192.168.1.1
• Scan a range of IPs: nmap 192.168.1.1-20 or nmap 192.168.1.0/24
• Scan a range of ports: nmap -p 1-100 192.168.1.1
• Scan the 100 most common ports (fast): nmap -F 192.168.1.1
• Scan all 65535 ports: nmap -p- 192.168.1.1
• Run the banner script: nmap --script banner 192.168.0.101
  ◦ Sets up a TCP connection and gets the first response text from the target
Testing on Kali Linux
Your Kali Linux VM contains both nmap and Wireshark.
Use Wireshark to see what traffic an nmap command sends out:
◦ On the Kali VM, run Wireshark first and start capturing traffic
◦ Run nmap to scan another VM on the same VLAN (such as the Win7 VM)
  ▪ Don't try to scan an Internet target!
◦ Stop capturing, and then check the captured traffic
Example #2: Wireshark trial
Q1: You sent a private message to your best friend on Facebook, but your message was also posted publicly on your friend's wall, which means someone posted it while impersonating your friend.
◦ Examine the HTTP web traffic in q1.pcap (in webCourse) to find evidence of the attack used for the wall post.
◦ Find the secret wall post, the timestamp when it occurred, and the cookie value (c_user) of the attacker.
Hints: Check POST requests and cookie values.
Question 1
Answer:
◦ Based on the hint, use the display filter "http contains POST and http contains c_user".
◦ There is one attacking IP, 10.0.0.4, using the same user cookie value that appears in many other normal posts by 192.168.121.185.
◦ The secret wall post was "Be sure not to tell anyone this! But M.C. is actually lactose-intolerant", with time Sun, 17 Apr 2011 06:30:02 GMT (based on the server's response message).
Question 2
There was a leak of an exam file, so you pull out the collected data to analyze it.
◦ Analyze the HTTP web accesses in q2.pcap (in webCourse). Determine the type of attack used to access the file.
◦ What was the file name? How do you know it was successfully accessed?
Question 2
Answer:
◦ Check the 'http' traffic and find '/../../../../..'-type abnormal requests, which indicate a typical directory traversal attack.
◦ Use the display filter "http contains "../"" and find that the directory traversal attack targeted the password file; the other file is cheddar.pdf, requested in several attempts.
  ▪ Is the cheddar.pdf access successful?
Question 2
Answer:
◦ A single packet, #41321, successfully obtained the PDF file.
◦ How can we obtain this PDF file from the trace?
  ▪ Since it belongs to HTTP traffic, use the menu File → Export Objects… → HTTP… to list all objects in the HTTP traffic.
  ▪ There are many cheddar.pdf objects, but all except one are not the successfully retrieved file.
  ▪ Check the packet number, find packet #41321, save the object, and we have the PDF!
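The two display-filter checks above (a cookie value reused from a second IP in Q1, and '../' traversal requests in Q2) can also be scripted over the HTTP requests extracted from a trace. The following is an added example for this course material, not code from the slides: it runs over a constructed list of requests standing in for what Wireshark shows, and the paths, cookie values and the 10.0.0.9 address are made up (10.0.0.4, 192.168.121.185 and cheddar.pdf are taken from the answers above).

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample requests: (source IP, request line, Cookie header).
# These stand in for the HTTP requests one would export from q1.pcap / q2.pcap.
REQUESTS = [
    ("192.168.121.185", "POST /ajax/updatestatus.php HTTP/1.1", "c_user=1000123; xs=abc"),
    ("192.168.121.185", "GET /home.php HTTP/1.1", "c_user=1000123; xs=abc"),
    ("10.0.0.4", "POST /ajax/updatestatus.php HTTP/1.1", "c_user=1000123; xs=abc"),
    ("10.0.0.9", "GET /../../../../../etc/passwd HTTP/1.1", ""),
    ("10.0.0.9", "GET /files/%2e%2e/%2e%2e/exams/cheddar.pdf HTTP/1.1", ""),
    ("10.0.0.9", "GET /files/cheddar.pdf HTTP/1.1", ""),
]

# A '..' path segment, i.e. "/../" or a leading/trailing ".."
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def is_traversal(request_line):
    """True if the request path contains a '..' segment.

    The path is URL-decoded twice so that '%2e%2e' and double-encoded
    '%252e%252e' forms are caught as well as the plain '../' the slide shows.
    """
    path = request_line.split(" ")[1]
    return bool(TRAVERSAL.search(unquote(unquote(path))))


def traversal_requests(requests):
    """The (ip, request line) pairs that look like directory traversal (Q2)."""
    return [(ip, line) for ip, line, _ in requests if is_traversal(line)]


def c_user_value(cookie_header):
    """Extract the c_user cookie value, or None if absent."""
    m = re.search(r"(?:^|;\s*)c_user=([^;]+)", cookie_header)
    return m.group(1) if m else None


def shared_cookie_posts(requests):
    """Map each c_user value seen in POSTs to the IPs that used it (Q1).

    Only cookies sent from more than one source IP are returned: a session
    cookie that suddenly posts from a second address is the impersonation clue.
    """
    users = defaultdict(set)
    for ip, line, cookie in requests:
        if line.startswith("POST "):
            u = c_user_value(cookie)
            if u:
                users[u].add(ip)
    return {u: sorted(ips) for u, ips in users.items() if len(ips) > 1}
```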